DSCI - A Self-Regulatory Organization

OECD, EU and APEC Privacy Principles form the basis of many privacy laws throughout the world and are widely accepted. The OECD Principles were first announced in 1980. The EU Data Protection Directive mandating Member States to promulgate laws in compliance with the Directive was issued in 1995. The United States, on the other hand, created Fair Information Practices that were formulated by the US Department of Housing, Education and Welfare (HEW) in 1973. Later in 1980, OECD’s Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data came into existence. The OECD Privacy Guidelines set out eight key principles for the protection of personal information. The APEC Privacy Framework is relatively more recent endorsed by APEC Ministers and Leaders in 2004; it promotes the use of nine privacy principles.

Although there are commonalities between various privacy frameworks and guidelines, the way consumer privacy is perceived is different. For example, the European Union addresses privacy of personal information through the Data Protection Directive 95/46 that stipulates the establishment of independent data protection authorities by the Member States – privacy is a fundamental right. The Directive sets forth potential derogations such as consent and model contracts, to facilitate trans-border data flows to countries that are not deemed “adequate” by the EU. These derogations have been extended to include Binding Corporate Rules (BCRs).

The United States addresses consumer privacy through sector specific and state laws on privacy of customer data that are administered by a variety of agencies. These include laws for protecting health information (HIPAA, HITECH), and financial information (GLBA) among others. These laws are further supplemented by a variety of self-regulatory mechanisms and organizations.

The European Union and the United States have signed the Safe Harbor Agreement to enable the US companies to receive the data of European citizens through the use of self-regulation, with enforcement for non-compliance through the FTC. It is based on seven privacy principles.

The APEC privacy Framework is based on the Accountability Principle under which the data protection obligations flow along with data in trans-border data flows. APEC enables economies to use both regulatory and self-regulatory elements to fashion a privacy approach that is credible while being consistent with a variety of cultures and legal frameworks.

In order to accommodate different privacy laws in various countries, APEC has placed emphasis on the practical aspects of data flows, the manner of interface between various players including companies, regulators, and governments. Cross-Border Privacy Rules (CBPRs) that are under development, along with information sharing, investigation and enforcement across borders among regulators will form an integral part of the APEC Privacy Framework.

It can be seen that the following eight principles cut across all geographies: Notice, Consent, Collection Limitation, Use Limitation, Access & Corrections, Security/Safeguards, Data Quality and Openness. APEC, EU, and Canada include two more principles namely, Accountability and Enforcement.

It is against this global privacy landscape that DSCI proposes its self-regulatory approach for the IT/BPO industry.

DSCI invites suggestion and comments on the paper attached below. Please send in your feedback to info@dsci.in with a subject line “Feedback- DSCI as SRO”